| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200730105546.24268-1-jslaby@suse.cz>
Date: Thu, 30 Jul 2020 12:55:46 +0200
From: Jiri Slaby <jslaby@...e.cz>
To: gregkh@...uxfoundation.org
Cc: linux-serial@...r.kernel.org, linux-kernel@...r.kernel.org,
Jiri Slaby <jslaby@...e.cz>, Jiri Kosina <jikos@...nel.org>
Subject: [PATCH] tty: keyboard, do not speculate on func_table index
It is very unlikely for processor to speculate on the func_table index.
The index is uchar and func_table is of size 256. So the compiler would
need to screw up and generate a really bad code.
But to stay on the safe side, forbid speculation on this user passed
index.
Signed-off-by: Jiri Slaby <jslaby@...e.cz>
Cc: Jiri Kosina <jikos@...nel.org>
---
drivers/tty/vt/keyboard.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index f80199984ee0..0db53b5b3acf 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -32,6 +32,7 @@
#include <linux/tty.h>
#include <linux/tty_flip.h>
#include <linux/mm.h>
+#include <linux/nospec.h>
#include <linux/string.h>
#include <linux/init.h>
#include <linux/slab.h>
@@ -2019,7 +2020,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
goto reterr;
}
kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0';
- i = kbs->kb_func;
+ i = array_index_nospec(kbs->kb_func, MAX_NR_FUNC);
switch (cmd) {
case KDGKBSENT:
--
2.28.0
Powered by blists - more mailing lists